1 Security principles Firewalls and NAT These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (
2 Host vs Network Security Host security Rules, policies and practices that are applied to the host itself Passwords, ACLs, roles and groups, system integrity (checksum), resource audit, encryption If not automated, doesn't scale No global way of enforcing which services can be reached from the network Threats: buffer overflow, brute force, social engineering
3 Host vs Network Security Network security Rules, policies and practices that target network traffic and services Rules/Filters, traffic analysis, penetration testing, anti-spoofing, encryption Doesn't concern with local security on the host Global way of protecting access to the resources of a network Threats: DoS, portscan, buffer overflow, spoofing, sniffing
4 What is a Firewall? Device (software, hardware) enforcing selective access (allow, deny) between different security domains, based on rules In plain speak: traffic police
5 What Does a Firewall Do? Selectively grant or reject access to network traffic between hosts or networks belonging to different security domains Domains can be local or remote (LAN, Internet) The rules can apply to the traffic at different levels The rules may be explicit or implicit (difference between stateful and stateless)
6 What Does a Firewall Do? The goal is to protect your network from undesired traffic It doesn't matter if an attack originates from the inside or outside... You have a responsibility to protect the rest of the Internet from your systems Maybe your users are well behaved But you may have been hacked, or infected by a virus or spyware sending spam
7 Where Does One Use a Firewall? The firewall must be located between security domains Example above: between Internet and LAN
8 Where Does One Use a Firewall? The firewall acts as a choke point for all traffic (just like a router in a simple network setup) Enforces traffic rules in one location Advantage: single point of control, no need to configure rules on every machine Downside: single point of failure!
9 What is a Firewall DMZ? Demilitarized zone (military term) An isolated network that is separated from the internal (trusted) and the external (untrusted) networks. It is used to place hosts which provide services to both the internal and external networks Hosts in the DMZ can be considered as semi-trusted
10 DMZ using a three-legged firewall
11 Why is the DMZ a good idea? If your external-facing servers are compromised, you don t expose your internal trusted network Provides a clear separation of traffic flows Reduces the complexity of filtering
12 What About NAT? NAT translates source and destination addresses on packets flowing between two networks NAT requires state keeping Typically, one uses PAT (Port Address Translation) # of private IPs > # of public IPs overload the public IPs by using multiple source ports to keep track of the private IPs
13 What About NAT? NAT is not synonymous with anonymity and security! Those are a side effect NAT alone does not protect from attacks if the attacker is on your external network, and sending packets to your inside hosts via the firewall (with static translations) If the firewall doesn't explicitly reject this traffic, it might get through!
14 What About NAT? NAT has problems It breaks certain applications FTP, SIP, H.323, etc. It makes forensic work difficult If somone from your internal network attacks an external host, and you are required to provide the identity of the attacker, you will need to maintain copies of your NAT translation states
15 Summary Firewalls are located between different parts of a network Can be inside / outside, but it can also be sales / engineering / production Firewalls can operate at different levels They can look not only at the IP headers, but also at the TCP/UDP headers, application headers and contents Stateful firewalls are to be preferred over simple packet filters
17 A Firewall for Linux: iptables Current Linux distributions come with the ip_tables packet filter either built-in to the kernel (versions 2.4 and up) or available as a module. The command line interface is: iptables iptables6 (IPv4) (IPv6)
18 What Can iptables Do? With iptables you can: Create firewall rules Configure Network Address Translation Mangle packets on the fly Can be configured by hand, via scripts, using third party tools Block packets until a user is authenticated Etc For now we will concentrate on firewalls
19 iptables Rulesets: What to Filter As you create iptables rules remember you must decide what protocols you are filtering: tcp udp icmp and, specific port numbers iptables has many protocol specific options
20 iptables Complexity The first thing you should do to understand iptables after this class is: Really! Do this. man iptables! There are many, many, many options available. There are many, many, many custom modules available.
21 The Three iptables Tables filter table The iptables filter table is the default table for rules, unless otherwise specified. nat table The network address translation or nat table is used to translate the source or destination field in packets. mangle table The mangle table is used to alter certain fields in the headers of IP packets.
22 iptables filter Table Chains The filter table has three built-in chains that packets traverse: 1.INPUT: Packets destined for the host. 2.OUTPUT: Packets created by the host to send to another system 3.FORWARD: Packets received by the host that are destined for another host You can create your own chains as well. We ll do this later.
23 Packet Traversal of iptables On the next slide you can see where the filter table and the INPUT, FORWARD and OUTPUT chains reside within iptables. If you don t specify any nat or mangle table rules, then packets traverse these tables with no effect. For initial firewalls we concentrate on applying packet filtering rules to packets traversing the filter table, INPUT chain.
24 iptables Packet Traversal For this introduction to iptables we spend most of our time applying rules in the yellow box or, for packets going in to our host destined for local processes. For packets leaving from our host we would filter these in the filter table, OUTPUT chain. For packets passing through our host to another network (such as using NAT) we filter these in the filter table, FORWARD chain. Diagram courtest of: Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables
25 iptables Summary As you build rules for iptables be mindful of how incoming, outgoing and forwarded packets traverse the various tables and chains. iptables is a very powerful tool. Starting simple and building as you learn and understand more about iptables is a good strategy.
27 Building a Firewall Ruleset Two basic approaches: 1. Allow everything by default, filter the bad things Very quickly unmanageable! What is bad? 2. Block everything by default, allow only what you know you should be allowing More work in the beginning Easier in the long run
28 Building a Firewall Ruleset Some firewalls have a first match principle, others last match : 1. allow ip from A to B 2. deny ip from any to any In the above example, ip traffic from A to B will be allowed if the firewall software stops on the first match (rule 1). If the firewall is last match, the traffic will be denied (last rule to match is 2)
29 Building a Firewall Ruleset Be careful not too be too conservative when filtering certain protocols Many ICMP messages should be allowed as they can carry important information about network status (congestion, reachability) Most stateful firewalls automatically allow ICMP messages that are related to a known active connection DNS is much more than 512 byte UDP packets on port 53
30 Remember... A firewall with very strict rules doesn't help if users are allowed to ssh from computer to computer Once an evildoer is inside the network, it can be too late... A hard crunchy shell around a soft chewy centre Bill Cheswick / Steve Bellovin It's not enough to only focus on network security!
32 Building an iptables Ruleset There are so many ways to build rulesets with iptables, many available tools and even more opinions about what s best! But, in general 1. Create an initial iptables ruleset using the iptables command line interface (CLI). 2. Save your ruleset out to a file. 3. Configure your box to use the ruleset at system start. 4. Edit the saved ruleset file to create more complex rulesets, make updates, etc. 5. Test your ruleset! Critical. Be sure it works as expected.
33 Complexity and Power A nice feature of iptables is the ability to filter on complex and dynamic protocols and actions, such as ftp, irc, number of failed attempts, connection attempts by ip or ranges and much more.
34 A Simple Example Block ping (icmp echo request) locally: iptables -A INPUT -p icmp --icmp-type echo-request -i lo -j DROP! What s going on? 1. -A Append this rule to the INPUT chain 2. -p protocol 3. --icmp-type echo-request 4. -i input interface 5. -j DROP jump to the target DROP
35 A Simple Example cont. Remove our ping blocking rule: iptables -D INPUT -p icmp --icmp-type echo-request -i lo -j DROP! What s going on? -D: Delete the following specification How to test this: ping ! By the way should you block ping? (NO!!!)
36 A More Complex Example Block SSH login attempts after three failures in five minutes:!iptables -N SSHSCAN iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSHSCAN iptables -A SSHSCAN -m recent --set --name SSH iptables -A SSHSCAN -m recent --update --seconds hitcount 3 --name \!SSH -j DROP! What s going on here? This works because iptables is a stateful firewall. It remembers packets coming from the same origin address.
37 A More Complex Example cont. 1. iptables -N SSHSCAN! Create a New chain named SSHSCAN 2. iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSHSCAN!!For the tcp protocol packets connecting on port 22 (SSH) load the state module and look for new connections if this matches, then jump to the next SSHSCAN target.!
38 A More Complex Example cont. 3. iptables -A SSHSCAN -m recent --set --name SSH! For the SSHSCAN chain load the recent module which will set and check work based on user-definable fields and timers, then add the source address of the associated packets (--set), and finally specify a list name to use for commands (--name SSH).
39 A More Complex Example cont. 4. iptables -A SSHSCAN -m recent --update --seconds hitcount 3 --name SSH -j DROP Scan the SSH list of IP addresses and see if there have been three separate connection attempts within the last 300 seconds (5 minutes). If there is a match, drop the packet and update the timestamp on the packet.
40 Complex Rulesets The last example can be refined to: Allow certain addresses to be excluded: iptables -A INPUT -p tcp --dport 22 -s $WHITE_LIST_IP -j ACCEPT To log connection attempts: iptables -A SSHSCAN -m recent --update --seconds hitcount 3 --name SSH -j LOG --log-level info --log-prefix "SSH SCAN blocked: More Details available at: -block-brute-force-attacks/
41 Basic iptables Commands iptables -F Flush all iptables rules iptables -L List all iptables rules iptables I <chain> [num] <rule> Insert rules in the given chain, as the given rule number. If no number is specified, insert at the head of the chain iptables A <chain> <rule> Append rules to the end of the selected chain
42 Basic iptables Commands cont. iptables L INPUT View all INPUT chain rules iptables -I INPUT -s " " -j DROP Block an IP address iptables -I INPUT -s " /24" -j DROP Block a range of IP addresses iptables -I INPUT -s " j ACCEPT Unblock an IP address iptables -A INPUT -p tcp --dport 25 -j DROP! iptables -A INPUT -p udp --dport 25 -j DROP Block access to a port (SMTP) for both tcp and udp
43 iptables Connection Tracking The iptables connection tracking feature is the ability to maintain connection information in memory. It can remember connection states such as established and new connections along with protocol types, source and destination ip address. You can allow or deny access based upon state.
44 iptables Connection Tracking cont. Connection tracking uses four states: NEW - A Client requesting new connection via firewall host ESTABLISHED - A connection that is part of already established connection RELATED - A connection that is requesting a new request but is part of an existing connection. INVALID - If none of the above three states can be referred or used then it is an INVALID state.
46 Some Food for Thought Complex firewall rule sets need to be broken down and modular. Don't just add! Tables, groups, macros and variables Check with your ISP to know what they filter - for example, it does not help to filter nefarious traffic on your side (downstream) of the connection, if it is a denial of Service - it is too late!
47 A Firewall for Linux: iptables The iptables project is located here: Extensive documentation is available: An Ubuntu iptables HowTo A CentOS (RedHat) iptables HowTo
Firewalls Chien-Chung Shen firstname.lastname@example.org The Need for Firewalls Internet connectivity is essential however it creates a threat vs. host-based security services (e.g., intrusion detection), not cost-effective
Red Hat Docs > Manuals > Red Hat Enterprise Linux Manuals > Red Hat Enterprise Linux 4: Security Guide Chapter 7. Firewalls http://www.redhat.com/docs/manuals/enterprise/rhel-4-manual/security-guide/ch-fw.html
Firewalls Pehr Söderman KTH-CSC Pehrs@kth.se 1 Definition A firewall is a network device that separates two parts of a network, enforcing a policy for all traversing traffic. 2 Fundamental requirements
+ iptables packet filtering && firewall + what is iptables? iptables is the userspace command line program used to configure the linux packet filtering ruleset + a.k.a. firewall + iptable flow chart what?
Firewall implementation and testing Patrik Ragnarsson, Niclas Gustafsson E-mail: email@example.com, firstname.lastname@example.org Supervisor: David Byers, email@example.com Project Report for Information
CSC-NETLAB Packet filtering with Iptables Group Nr Name1 Name2 Name3 Date Instructor s Signature Table of Contents 1 Goals...2 2 Introduction...3 3 Getting started...3 4 Connecting to the virtual hosts...3
Linux Firewalls (Ubuntu IPTables) II Here we will complete the previous firewall lab by making a bridge on the Ubuntu machine, to make the Ubuntu machine completely control the Internet connection on the
Firewalls (IPTABLES) Objectives Understand the technical essentials of firewalls. Realize the limitations and capabilities of firewalls. To be familiar with iptables firewall. Introduction: In the context
ΕΠΛ 674: Εργαστήριο 5 Firewalls Παύλος Αντωνίου Εαρινό Εξάμηνο 2011 Department of Computer Science Firewalls A firewall is hardware, software, or a combination of both that is used to prevent unauthorized
Firewall Lab This lab will apply several theories discussed throughout the networking series. The routing, installing/configuring DHCP, and setting up the services is already done. All that is left for
Firewalls, NAT and Intrusion Detection and Prevention Systems (IDS) Internet (In)Security Exposed Prof. Dr. Bernhard Plattner With some contributions by Stephan Neuhaus Thanks to Thomas Dübendorfer, Stefan
CS 5410 - Computer and Network Security: Firewalls Professor Kevin Butler Fall 2015 Firewalls A firewall... is a physical barrier inside a building or vehicle, designed to limit the spread of fire, heat
CSC574 - Computer and Network Security Module: Firewalls Prof. William Enck Spring 2013 1 Firewalls A firewall... is a physical barrier inside a building or vehicle, designed to limit the spread of fire,
Network Defense Tools Prepared by Vanjara Ravikant Thakkarbhai Engineering College, Godhra-Tuwa +91-94291-77234 www.cebirds.in, www.facebook.com/cebirds firstname.lastname@example.org What is Firewall? A firewall
CS 5410 - Computer and Network Security: Firewalls Professor Patrick Traynor Spring 2015 Firewalls A firewall... is a physical barrier inside a building or vehicle, designed to limit the spread of fire,
Network Security Management TWNIC 2003 Objective Have an overview concept on network security management. Learn how to use NIDS and firewall technologies to secure our networks. 1 Outline Network Security
ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας Department of Computer Science Firewalls A firewall is hardware, software, or a combination of both that is used to prevent unauthorized Internet users
Firewalls with IPTables Jason Healy, Director of Networks and Systems Last Updated Mar 18, 2008 2 Contents 1 Host-based Firewalls with IPTables 5 1.1 Introduction.............................. 5 1.2 Concepts...............................
Summer Course at Mekelle Institute of Technology. July, 2015. Linux Routers and Community Networks Llorenç Cerdà-Alabern http://personals.ac.upc.edu/llorenc email@example.com Universitat Politènica de
CSE543 - Computer and Network Security Module: Firewalls Professor Trent Jaeger Fall 2010 1 Firewalls A firewall... is a physical barrier inside a building or vehicle, designed to limit the spread of fire,
Protecting and controlling Virtual LANs by Linux router-firewall Tihomir Katić Mile Šikić Krešimir Šikić Faculty of Electrical Engineering and Computing University of Zagreb Unska 3, HR 10000 Zagreb, Croatia
A firewall is a software- or hardware-based network security system that allows or denies network traffic according to a set of rules. Firewalls can be categorized by their location on the network: A network-based
Mikrotik Security IP -> Services Disable unused services Set Available From for appropriate hosts Secure protocols are preferred (Winbox/SSH) IP -> Neighbors Disable Discovery Interfaces where not necessary.
Linux firewall Need of firewall Single connection between network Allows restricted traffic between networks Denies un authorized users Linux firewall Linux is a open source operating system and any firewall
Linux Networking: IP Packet Filter Firewalling David Morgan Firewall types Packet filter Proxy server 1 Linux Netfilter Firewalling Packet filter, not proxy Centerpiece command: iptables Starting point:
Internet Firewall CSIS 3230 A combination of hardware and software that isolates an organization s internal network from the Internet at large Ch 8.8: Packet filtering, firewalls, intrusion detection Ch
FIREWALL AND NAT Lecture 7a COMPSCI 726 Network Defence and Countermeasures Muhammad Rizwan Asghar August 3, 2015 Source of most of slides: University of Twente FIREWALL An integrated collection of security
Firewalls Carlo U. Nicola, SGI FHNW With extracts from slides/publications of : John Mitchell, Stanford U.; Marc Rennhard, ZHAW; E.H. Spafford, Purdue University. CINS/F1-01 Topics 1. Purpose of firewalls
Firewall Tutorial KAIST Dept. of EECS NC Lab. Contents What is Firewalls? Why Firewalls? Types of Firewalls Limitations of firewalls and gateways Firewalls in Linux What is Firewalls? firewall isolates
1 Firewall Basics - Introduction to Firewalls - Traditionally, a firewall is defined as any device (or software) used to filter or control the flow of traffic. Firewalls are typically implemented on the
Manuale Turtle Firewall Andrea Frigido Friweb snc Translator: Emanuele Tatti Manuale Turtle Firewall by Andrea Frigido Translator: Emanuele Tatti Published 2002 Copyright 2002, 2003 by Friweb snc, Andrea
Virtual private network Network security protocols COMP347 2006 Len Hamey Instead of a dedicated data link Packets securely sent over a shared network Internet VPN Public internet Security protocol encrypts
CIS 433/533 - Computer and Network Security Firewalls Professor Kevin Butler Winter 2011 Computer and Information Science Firewalls A firewall... is a physical barrier inside a building or vehicle, designed
Introduction Prior to iptables, the predominant software packages for creating Linux firewalls were 'IPChains' in Linux 2.2 and ipfwadm in Linux 2.0, which in turn was based on BSD's ipfw. Both ipchains
Firewalls P+S Linux Router & Firewall 2013 Firewall Techniques What is a firewall? A firewall is a hardware or software device which is configured to permit, deny, or proxy data through a computer network
Network Security s Access lists Ingress filtering s Egress filtering NAT 2 Drivers of Performance RequirementsTraffic Volume and Complexity of Static IP Packet Filter Corporate Network The Complexity of
Internet infrastructure Prof. dr. ir. André Mariën (c) A. Mariën 31/01/2006 Topic Firewalls (c) A. Mariën 31/01/2006 Firewalls Only a short introduction See for instance: Building Internet Firewalls, second
FIREWALLS & CBAC firstname.lastname@example.org Implementing a Firewall Personal software firewall a software that is installed on a single PC to protect only that PC All-in-one firewall can be a single device that
Chapter 10 Firewall Firewalls are devices used to protect a local network from network based security threats while at the same time affording access to the wide area network and the internet. Basically,
IPv6 Firewalls ITU/APNIC/MICT IPv6 Security Workshop 23 rd 27 th May 2016 Bangkok Last updated 17 th May 2016 1 Acknowledgements p Contains material from n Stallings and Brown (2015) n Ian Welch (Victoria
Worksheet 9 Linux as a router, packet filtering, traffic shaping Linux as a router Capable of acting as a router, firewall, traffic shaper (so are most other modern operating systems) Tools: netfilter/iptables
Firewall August, 2003 1 Firewall and Access Control This product also serves as an Internet firewall, not only does it provide a natural firewall function (Network Address Translation, NAT), but it also
s (March 4, 2015) Abdou Illia Spring 2015 Test your knowledge Which of the following is true about firewalls? a) A firewall is a hardware device b) A firewall is a software program c) s could be hardware
CSE331: Introduction to Networks and Security Lecture 12 Fall 2006 Announcements Midterm I will be held Friday, Oct. 6th. True/False Multiple Choice Calculation Short answer Short essay Project 2 is on
Building a Home Gateway/Firewall with Linux (aka Firewalling and NAT with iptables ) Michael Porkchop Kaegler email@example.com http://www.nic.com/~mkaegler/ Hardware Requirements Any machine capable of
JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA To purchase Full version of Practice exam click below; http://www.certshome.com/jk0-022-practice-test.html FOR CompTIA JK0-022 Exam Candidates
Firewalls slide 1 configuring a sophisticated GNU/Linux firewall involves understanding iptables iptables is a package which interfaces to the Linux kernel and configures various rules for allowing packets
1:1 NAT in ZeroShell Requirements The version of ZeroShell used for writing this document is Release 1.0.beta11. This document does not describe installing ZeroShell, it is assumed that the user already
CEN 448 Security and Internet Protocols Chapter 20 Firewalls Dr. Mostafa Hassan Dahshan Computer Engineering Department College of Computer and Information Sciences King Saud University firstname.lastname@example.org
How to protect your home/office network? Using IPTables and Building a Firewall - Background, Motivation and Concepts Adir Abraham email@example.com Do you think that you are alone, connected from
Linux Firewall Linux workshop #2 Summary Introduction to firewalls Introduction to the linux firewall Basic rules Advanced rules Scripting Redundancy Extensions Distributions Links 2 Introduction to firewalls
Chapter 4 Firewall Protection and Content Filtering The ProSafe VPN Firewall 50 provides you with Web content filtering options such as Block Sites and Keyword Blocking. Parents and network administrators
Pascal Muetschard John Nagle COEN 150, Spring 03 Prof. JoAnne Holliday Computer Firewalls Introduction The term firewall was originally used with forest fires, as a means to describe the barriers implemented
Network Security Routing and Firewalls Radboud University Nijmegen, The Netherlands Autumn 2014 A short recap IP spoofing by itself is easy Typically used in conjunction with other attacks, e.g.: DOS attacks
Ch.9 Firewalls and Intrusion Prevention Systems Firewalls: effective means of protecting LANs Internet connectivity is essential for every organization and individuals introduces threats from the Internet
Proxy Server, Network Address Translator, Firewall 1 Proxy Server 2 1 Introduction What is a proxy server? Acts on behalf of other clients, and presents requests from other clients to a server. Acts as
Linux MDS Firewall Supplement Table of Contents Introduction... 1 Two Options for Building a Firewall... 2 Overview of the iptables Command-Line Utility... 2 Overview of the set_fwlevel Command... 2 File
CMPT 471 Networking II Firewalls Janice Regan, 2006-2013 1 Security When is a computer secure When the data and software on the computer are available on demand only to those people who should have access
Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y 2 01 5 / 2 01 6 P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A Slides are based on slides by Dr Lawrie Brown (UNSW@ADFA) for Computer
Introduction TELE 301 Lecture 21: s Zhiyi Huang Computer Science University of Otago Discernment of Routers, s, Gateways Placement of such devices Elementary firewalls Stateful firewalls and connection
Network Security Topologies Chapter 11 Learning Objectives Explain network perimeter s importance to an organization s security policies Identify place and role of the demilitarized zone in the network
Firewalls What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services only authorized traffic is allowed Auditing and
Network security Exercise 9 How to build a wall of fire Linux Netfilter Tobias Limmer Computer Networks and Communication Systems Dept. of Computer Sciences, University of Erlangen-Nuremberg, Germany 14.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design Learning Objectives Identify common misconceptions about firewalls Explain why a firewall
Firewalls and System Protection Firewalls Distributed Systems Paul Krzyzanowski 1 Firewalls: Defending the network inetd Most UNIX systems ran a large number of tcp services as dæmons e.g., rlogin, rsh,
Technical Support Information Broadband Module/Broadband Module Plus Configuration Guidance Setting up Remote Access to a Network Device (Mail/File Server/Camera Etc) connected to the LAN port of the Broadband
ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 25 October 2013 its335y13s2l08, Steve/Courses/2013/s2/its335/lectures/firewalls.tex,
2 : IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 25 October 2013 its335y13s2l08, Steve/Courses/2013/s2/its335/lectures/firewalls.tex, r2958
Implementing Secure Converged Wide Area Networks (ISCW) 1 Mitigating Threats and Attacks with Access Lists Lesson 7 Module 5 Cisco Device Hardening 2 Module Introduction The open nature of the Internet